b'                  Fiscal Year 2005 Evaluation of Information Security\n\n                           at the Railroad Retirement Board \n\n                         Report No. 05-11, September 28, 2005 \n\n\n                                     INTRODUCTION \n\n\nThis report presents the results of the Office of Inspector General\xe2\x80\x99s (OIG) evaluation of\ninformation security at the Railroad Retirement Board (RRB).\n\nBackground\n\nThe RRB administers the retirement/survivor and unemployment/sickness insurance\nbenefit programs for railroad workers and their families under the Railroad Retirement Act\n(RRA) and the Railroad Unemployment Insurance Act (RUIA). These programs provide\nincome protection during old age and in the event of disability, death, temporary\nunemployment or sickness. The RRB paid over $9 billion in benefits during fiscal year\n(FY) 2004.\n\nThe RRB\xe2\x80\x99s information system environment consists of two general support systems and\nsix major application systems. The two general support systems are the data processing\nsystem, which supports all mainframe computing activity; and the end-user computing\nsystem, which supports the agency\xe2\x80\x99s local and wide area networks. The major application\nsystems correspond to the RRB\xe2\x80\x99s critical operational activities: payment of RRA and RUIA\nbenefits, maintenance of compensation and service records, administration of Medicare\nentitlement, financial management, and the RRB\xe2\x80\x99s financial interchange with the Social\nSecurity Administration. Each major application system is comprised of one or more\ncomponent systems.\n\nThis evaluation was conducted pursuant to the E-Government Act of 2002 (P.L. 107-347),\nTitle III, the Federal Information Security Management Act of 2002 (FISMA) which requires\nannual agency program reviews, Inspector General security evaluations, an annual\nagency report to the Office of Management and Budget (OMB), and an annual OMB report\nto Congress. FISMA also establishes minimum requirements for the management of\ninformation security in the following nine areas:\n\n      1.   Assessment of Risk\n      2.   Policies and Procedures\n      3.   Testing and Evaluation\n      4.   Training\n      5.   Security Plans\n      6.   Remedial Action\n      7.   Incident Response Reporting\n      8.   Continuity of Operations\n      9.   Inventory of Systems.\n\x0cA significant deficiency is a weakness in an agency\xe2\x80\x99s overall information system security\nprogram or management control structure, or within one or more information systems, that\nsignificantly restricts the capability of the agency to carry out its mission or compromises\nthe security of its information, information systems, personnel, or other resources,\noperations, or assets. A significant deficiency under FISMA is to be reported as a material\nweakness under the Federal Managers\xe2\x80\x99 Financial Integrity Act (FMFIA).\n\nA reportable condition exists when a security or management control weakness does not\nrise to the level of a significant deficiency, yet is still important enough to be reported to\ninternal management. A security weakness not deemed to be a significant deficiency by\nagency management, yet affecting the efficiency and effectiveness of agency operations,\nmay be considered a reportable condition. A reportable condition under FISMA is not\nreported as a material weakness under FMFIA.\n\nThe OIG previously evaluated information security at the RRB during FYs 2001 through\n2004 and reported weaknesses throughout the RRB\xe2\x80\x99s information security program. The\nOIG cited the agency with significant deficiencies in access controls in the data processing\nand end-user computing environments and in the training provided to staff who have\nsignificant security responsibilities.\n\nObjective, Scope and Methodology\n\nThis evaluation was performed to meet FISMA requirements for an annual OIG evaluation\nof information security that includes:\n\n   1. \t testing of the effectiveness of information security, policies, procedures , and\n        practices of a representative subset of the agency\xe2\x80\x99s information systems; and\n   2. \t an assessment of compliance with FISMA requirements and related information\n        security policies, procedures, standards and guidelines.\n\nTo meet the first requirement, the OIG audited access controls in the RRB\xe2\x80\x99s end-user\ncomputing general support system. We also retained technical specialists to perform\nadditional security tests and evaluations of the agency\xe2\x80\x99s local area network, and internet\noperations used in two major application systems. To meet the second requirement, we\nconsidered the results of prior audits and evaluations of information security during FYs\n2000 through 2005, including the status of related recommendations for corrective action.\nWe also obtained and reviewed documentation supporting the RRB\xe2\x80\x99s performance in\nmeeting FISMA requirements and interviewed responsible agency management and staff.\n\nThe list of current and prior year audits considered by the OIG in performing this\nevaluation is presented in Appendix I.\n\nThe primary criteria for this evaluation were:\n\n   \xe2\x80\xa2 the requirements established by FISMA;\n   \xe2\x80\xa2\t OMB Circular A-130, \xe2\x80\x9cManagement of Federal Information Resources,\xe2\x80\x9d Appendix III,\n      dated November 28, 2000 which established a minimum set of controls to be\n\x0c     included in Federal automated information security programs; assigns Federal\n     agency responsibilities for the security of automated information; and links agency\n     automated information security programs and agency management control systems\n     established in accordance with OMB Circular No. A-123; and\n   \xe2\x80\xa2\t Standards and guidance promulgated by the National Institute for Standards and\n      Technology (NIST).\n\nOur work was performed in accordance with generally accepted government auditing\nstandards as applicable to the objective. Fieldwork was conducted at RRB headquarters\nduring May through August 2005.\n\x0c                               RESULTS OF EVALUATION \n\n\n\nThe RRB is experiencing difficulty in achieving an effective, FISMA compliant security\nprogram. The OIG\xe2\x80\x99s FY 2005 evaluation identified two new significant deficiencies in the\nagency\xe2\x80\x99s security program due to delays in meeting FISMA requirements for risk\nassessments and periodic testing and evaluation. In addition, previously cited significant\ndeficiencies in training and access controls persist. These deficiencies are subject to\nreporting as material weaknesses under the FMFIA.\n\nWe have also identified reportable conditions that require agency action to ensure a fully\neffective, FISMA compliant security program. We observed such weaknesses in the\nagency\xe2\x80\x99s implementation of requirements for risk based policies and procedures, a\nremedial action process, continuity of operations, and inventory of systems.\n\nThe details of our assessment of agency compliance with FISMA requirements and the\nweaknesses disclosed by our tests of the effectiveness of information security follow. We\nhave also reported on agency performance in implementing OMB and NIST requirements\nfor certification and accreditation of information systems which has been adversely\nimpacted by the above cited weaknesses in the FISMA mandated security program.\n\nPeriodic Assessment of Risk\n\nThe RRB has made little progress in implementing an effective risk assessment process, a\nsignificant deficiency in its information security program. The RRB has not documented\ncritical agency determinations concerning risk which drive a FISMA mandated security\nprogram and NIST compliant certification and accreditation process.\n\nFISMA requires periodic assessments of the risk and magnitude of harm that could result\nfrom the unauthorized access, use, disclosure, disruption, modification, or destruction of\ninformation or information systems. Risk assessment is the first step in the risk\nmanagement process. Organizations use risk assessment to determine the extent of the\npotential threat to information and information systems, and to ensure that the greatest\nrisks have been identified and addressed.\n\nFederal Information Processing Standard (FIPS) 199, \xe2\x80\x9cStandards for Security\nCategorization of Federal Information and Information Systems\xe2\x80\x9d and related NIST\nguidance provide a common framework for categorizing systems according to risk. The\nframework establishes three levels of potential impact on organizational operations,\nassets, or individuals should a breach of security occur\xe2\x80\x94high (severe or catastrophic),\nmoderate (serious), and low (limited)\xe2\x80\x94and are used to determine the impact for each of\nthe FISMA-specified security objectives of confidentiality, integrity, and availability. Once\ndetermined, security categories are to be used in conjunction with vulnerability and threat\ninformation in assessing the risk to an organization.\n\nThe RRB has categorized its two general support systems and six major application\nsystems as \xe2\x80\x9chigh potential impact,\xe2\x80\x9d which means, according to FIPS 199, that a breach of\n\x0csecurity in one of these systems has the potential for a severe or catastrophic adverse\neffect on organizational operations, organization assets, or individuals. The RRB has not\ndocumented the initial determination of \xe2\x80\x9chigh impact\xe2\x80\x9d for its general support and major\napplication systems or the ongoing consideration of risk.\n\nThe RRB relies primarily on its Management Control Review process to document the\nassessment of risk in its information systems. That process, implemented to meet FMFIA\nrequirements, does not address the basic elements of an effective risk management\nprogram as described in NIST Special Publication (SP) 800-30, \xe2\x80\x9cRisk Management Guide\nfor Information Technology Systems.\xe2\x80\x9d\n\nIn addition, the RRB\xe2\x80\x99s \xe2\x80\x9cSecurity Handbook\xe2\x80\x9d requires an annual risk assessment for the\nagency\xe2\x80\x99s general support systems and any major application systems categorized as \xe2\x80\x9chigh\nrisk.\xe2\x80\x9d Management control reviews cannot meet this internal requirement because they\nare conducted less than annually.\n\nThe OIG has recommended that the agency ensure complete formal risk assessments be\nprepared in accordance with NIST guidance.1 Agency management has agreed to\n\xe2\x80\x9cdevelop and publish a standardized risk assessment format in accordance with NIST\nguidance to be used in developing formal risk assessments of the components of the\nmajor application and general support systems.\xe2\x80\x9d The agency has established a target\ndate of November 2005 for completion of the guidance; no target date has been\nestablished for completion of the risk assessments.\n\nRecommendation\n\nAgency action to implement prior OIG recommendations for corrective action is pending;\nthe OIG has no additional recommendations to offer at this time.\nRisk Based Policies and Procedures\n\nThe RRB\xe2\x80\x99s policies and procedures need improvement to ensure that they are\ncomprehensive and effective in all areas of the agency\xe2\x80\x99s information security program.\n\nFISMA requires agencies to include risk-based policies and procedures that cost-\neffectively reduce information security risks to an acceptable level and ensure that\ninformation security is addressed throughout the life cycle of each information system in\ntheir information security programs. FISMA also requires each agency to have policies\nand procedures that ensure compliance with minimally acceptable system configuration\nrequirements, as determined by the agency.\n\n\n\n\n1\n    OIG Report #05-08, Recommendation #4\n\x0cDuring our review we observed that the RRB has not developed an agencywide security\nconfiguration policy for their server operating systems or formal policies and procedures\nfor the review of contractor operations. We also noted that the lack of periodic risk\nassessments undermines agency efforts to maintain current, comprehensive policies and\nprocedures. In addition, weaknesses in the implementation of access controls in the end-\nuser computing general support system suggest that the framework of policies and\nprocedures is not fully effective for that system.\n\nRecommendations\n\nWe recommend that the Bureau of Information Services develop:\n       1. an agencywide security configuration policy for server operating systems; and\n       2. \t policy and procedures for the review of contractor operations in accordance with\n            NIST guidance.\n\nManagement\xe2\x80\x99s Response\n\nManagement concurs with the recommendations. In response to recommendation #1, the\nBureau of Information Services plans to develop a policy to use standard and secure\nindustry conventions to install and upgrade Microsoft Windows operating systems on RRB\nservers. In response to recommendation #2, the Bureau of Information Services plans to\npublish an agency security policy on this subject in the RRB Information Systems Security\nPolicy, Standards and Guidelines Handbook.\n\nThe full text of management\xe2\x80\x99s response is included as Appendix II to this report.\n\n\nTesting and Evaluation\n\nThe RRB\xe2\x80\x99s efforts to implement a consistent, FISMA compliant testing and evaluation\nprocess have not been successful. Weaknesses in this process have increased to the\nextent that it now represents a significant deficiency in the agency\xe2\x80\x99s information security\nprogram.\n\nFISMA requires periodic testing and evaluation of the effectiveness of information security\npolicies, procedures, and practices, performed with a frequency depending on risk, but no\nless than annually. The periodic tests and evaluation must include testing of\nmanagement, operational, and technical controls for every system identified in the\nagency\xe2\x80\x99s required inventory of major information systems. NIST special publication (SP)\n800-53 \xe2\x80\x9cRecommended Security Controls for Federal Information Systems\xe2\x80\x9d provides\nguidance in classifying controls.\n\nTests performed during FY 2005 were not sufficient to meet FISMA requirements because\nthey did not include all major application systems and were not comprehensive with\nrespect to all three categories of controls: management, operational and technical. In\naddition, the agency had not performed any tests of contractor operations during the first\n10 months of FY 2005.\n\x0cIn drawing our conclusion concerning compliance in this area, we considered tests\nperformed during FY 2005 by agency personnel, the OIG and technical specialists under\ncontract to the OIG. We also considered tests performed as part of the agency\xe2\x80\x99s\nManagement Control Review process during FY 2005; however, such tests are performed\nless than annually, and do not include sufficient coverage of management, operational,\nand technical controls, as defined by NIST, to meet FISMA requirements.\n\nWe also noted that the RRB has not performed a security self-assessment since FY 2003.\nSecurity self-assessments can be used to meet the minimum requirement for periodic\ntesting and evaluation.\n\nThe OIG has previously recommended management act to ensure that periodic\nindependent evaluations of system security for major applications are performed and to\nensure the quality of security self-assessments.2\n\nRecommendation\n\nAgency action to implement prior OIG recommendations for corrective action is pending;\nthe OIG has no additional recommendations to offer at this time.\n\n\nTraining\n\nAlthough the RRB provides general security awareness training, it has not completed\nplans to ensure that personnel with significant security responsibilities have had\nappropriate training. Accordingly, training remains an area of significant deficiency.\n\nFISMA requires agencies to provide security awareness training to inform personnel,\nincluding contractors and other users of information systems that support the operations\nand assets of the agency, of information security risks associated with their activities as\nwell as their responsibilities in complying with agency policies and procedures designed to\nreduce these risks. In addition to security awareness training, agencies are required to\nprovide appropriate training on information security to personnel with significant security\nresponsibilities.\n\nThe OIG first cited lack of training as a material weakness as a result of its first evaluation\nof information security conducted in FY 2001 when we observed that:\n\n                 Employees with decision-making responsibility for information\n                 system security have not had adequate formal training in its\n                 theory, principles and practice. As a result, some employees\n                 do not have an adequate knowledge base to support the\n                 security-related decisions required by their positions.\n\n\n2\n    OIG Report #02-04, Recommendation #3\n    OIG Report #03-02, Recommendations #1, #2, #3, and #4\n\x0cAt that time, the OIG recommended that management develop and implement a plan to\nprovide security specific training to agency employees who have decision-making\nresponsibilities for information systems and, specifically, to personnel with responsibility\nfor administration of the agency\xe2\x80\x99s local and wide area networks.3 The Bureau of\nInformation Services has advised us that it has identified employees who require security-\nspecific training, developed a role-based security training curriculum and begun the\ntraining process.\n\nRecommendation\n\nAgency action to implement prior OIG recommendations for corrective action is pending;\nthe OIG has no additional recommendations to offer at this time.\n\n\nSecurity Plans\n\nFISMA requires that agencies maintain subordinate plans for providing adequate\ninformation security for networks, facilities, and systems or groups of information systems.\nThe OIG did not identify any significant deficiencies or reportable conditions in this area of\nprogram management during FY 2005.\n\n\nRemedial Action Process\n\nThe RRB needs to improve its Plan of Action and Milestones to ensure that its remedial\naction process is sufficient to meet FISMA and OMB requirements.\n\nFISMA requires Federal agencies to maintain a process for planning, implementing,\nevaluating, and documenting remedial action to address any deficiencies in the\ninformation security policies, procedures, and practices of the agency.\n\nThe OIG previously recommended that the RRB review and revise its remedial action\nprocess because we had concluded that the Plan of Action and Milestones was not an\neffective tool for identifying vulnerabilities and monitoring agency corrective actions\naccording to criteria established by OMB.4 Management disagreed with the finding stating\nthat:\n\n                 The POA&M was designed by the Office of Management and\n                 Budget (OMB) to fulfill their reporting requirements \xe2\x80\xa6 We have\n                 received no feedback from OMB to indicate the reports are\n                 insufficient or inadequate.\n\nIn our opinion, the RRB\xe2\x80\x99s Plan of Action and Milestones is less effective now than when\nwe first cited it as a deficiency in FY 2003. During FY 2005, the RRB\xe2\x80\x99s plan was not\ncomprehensive with respect to identified weaknesses and was not driven by internal risk\n\n3\n    OIG Report #02-04, Recommendations #1 and #14\n4\n    OIG Report #03-11, Recommendation #1\n\x0cassessments and control evaluations. We also observed that the existing plan does not\ndemonstrate prioritization of agency plans and efforts to correct information security\nweaknesses.\n\nRecommendation\n\n         3. \t We recommend that the RRB review and revise its remedial action process to\n              ensure that all security weaknesses are included in the agencywide Plan of\n              Action and Milestones and ensure that the plan demonstrates the prioritization\n              of agency remediation efforts.\n\nManagement\xe2\x80\x99s Response\n\nManagement concurs in principle with the recommendation. Although management\nprefers a different approach to governance, the Bureau of Information Services has\nagreed to modify the agency\xe2\x80\x99s Plan of Action and Milestones to reflect outstanding security\nrecommendations and to update it with sufficient summarized detail to permit oversight\nand tracking of agency remediation progress.\n\nThe full text of management\xe2\x80\x99s response is included as Appendix II to this report.\n\n\nIncident Response Reporting\n\nFISMA requires that Federal agencies implement procedures for detecting, reporting, and\nresponding to security incidents. The OIG did not identify any significant deficiencies or\nreportable conditions in this area of program management during FY 2005.\n\n\nContinuity of Operations\n\nAgency action has not yet fully addressed prior OIG findings that some aspects of its\ndisaster recovery plan are outdated and incomplete and that disaster recovery tests have\nnot consistently included LAN/WAN applications other than establishing connectivity and\ngeneral administration.\n\nFISMA requires Federal agencies to implement plans and procedures to ensure continuity\nof operations for information systems that support the operations and assets of the\nagency.\n\nIn FY 2001, the OIG recommended that the RRB complete installation of the mainframe\nsoftware that will back up LAN server contents; and in FY 2002, that the agency update its\noverall disaster recovery plan and ensure that all decisions related to the disaster recovery\ncontract be formally documented.5\n\n5\n    OIG Report #01-01, Recommendation #14\n    OIG Report #02-04, Recommendation #6\n    OIG Report #02-12 Recommendation #3\n\x0cRecommendation\n\nAgency action to implement prior OIG recommendations for corrective action is pending;\nthe OIG has no additional recommendations to offer at this time.\n\n\nInventory of Systems\n\nThe RRB needs to improve its process for inventorying information systems.\n\nFISMA established a requirement that each agency develop, maintain, and annually\nupdate an inventory of major information systems operated by the agency or that are\nunder its control. This inventory is to include an identification of the interfaces between\neach system and all other systems or networks, including those not operated by or under\nthe control of the agency.\n\nThe RRB has not compiled a reliable inventory that identifies component applications\noperating in the end-user computing general support system, the related server locations\nor the security administrators. The RRB has defined its major application systems by the\nfunctional area of agency operations that they support, for example \xe2\x80\x9cPayment of Railroad\nRetirement Act Benefits.\xe2\x80\x9d Each major application is comprised of many subordinate\ncomponent systems of which a complete and accurate inventory does not exist. Each\nsubordinate component system needs to be considered if the agency\xe2\x80\x99s overall security\nprogram is to be effective.\n\nSystem inventories are maintained by several different organizational units but their efforts\nare not coordinated or consistent. In FY 2005, the OIG recommended that the agency\ntake action to improve its systems inventory by compiling an official inventory of individual\ncomponent systems that comprise the major application systems, identify the servers on\nwhich the LAN systems operate, as well as the official responsible for each system.6\n\nRecommendation\n\nAgency action to implement prior OIG recommendations for corrective action is pending;\nthe OIG has no additional recommendations to offer at this time.\n\n\nImplementation of Security\n\nThe design and implementation of access controls in the RRB\xe2\x80\x99s general support and\napplication systems is not adequate to meet minimum standards established by OMB A-\n130, Appendix III, which represents a significant deficiency in the agency\xe2\x80\x99s information\nsecurity program.\n\n\n\n6\n    OIG Report #05-08, Recommendations #1, #2, and #3\n\x0cThe OIG first cited access controls as an area of material weakness in its FY 2001 \n\nevaluation of information security. The OIG initially identified weaknesses in the \n\nmanagement of user accounts and passwords in the data processing and end-user \n\ncomputing general support systems. We have reported on the inability of existing facilities \n\nto support detailed third-party security evaluations of LAN user accounts and privileges. \n\nPrior reviews of information security in mainframe-based component systems disclosed \n\nthat the process of reviewing and re-authorizing access to these systems was not fully \n\neffective. \n\n\nDuring FY 2005, the OIG performed detailed tests of user privileges in the end-user \n\ncomputing general support system; each of the 45 randomly selected employees in the \n\nsample had been granted privileges in excess of those required for their jobs. These \n\nprivileges ranged from actions that should only be performed by an administrator to the \n\nability to read, write, execute or delete files when a lesser privilege (or no privilege) would \n\nhave been sufficient. \n\nWe have recommended that the agency establish policies for the management of certain \n\nhigh-risk LAN accounts, take action to eliminate systemic weaknesses caused by the use\n\nof global groups to grant LAN system access, and perform reviews of system administrator \n\nactivities.7\n\n\nRecommendation\n\n\nAgency action to implement prior OIG recommendations for corrective action is pending;\nthe OIG has no additional recommendations to offer at this time.\n\nCertification and Accreditation\n\nExisting agency procedures are inadequate to meet OMB requirements for authorizing\ninformation systems to process, and accepting the associated risk. The agency has not yet\nimplemented a NIST compliant certification and accreditation program; the OIG has\npreviously found that current procedures are not an adequate substitute. Although the RRB\nbelieves it has a satisfactory process in place, existing agency procedures are not adequate\nbecause they do not place responsibility at a high enough level of agency management and\nare not supported by adequate risk assessment and testing processes.\n\nAlthough system authorization is not a FISMA requirement, OMB asks agencies to report on\ntheir certification and accreditation process as part of the FISMA reporting process. For FY\n2005, OMB requires agencies to report the number of systems authorized for processing\nafter completing certification and accreditation. OMB also requests that the Inspectors\nGeneral assess the quality of their agency\xe2\x80\x99s certification and accreditation process.\n\n7\n    OIG Report #02-04, Recommendation #13 and #24\n    Blackbird Technologies, Inc., report dated 07/20/01, Recommendation #5\n    Blackbird Technologies, Inc., report dated 08/17/01, Recommendations #5a,#5b, and #5c\n    OIG Report #04-07, Recommendation #1, #3, and #4\n    OIG Report #04-08, Recommendation #1\n    OIG Report #04-09, Recommendation #1\n    OIG Report # 04-11, Recommendations #1, #2, and #3\n    OIG Report # 05-08, Recommendations #6, #10, #11, #13, #14, and #15\n\x0cOMB\xe2\x80\x99s policy for federal information security requires that agency management officials\nformally authorize their information systems to process information and, thereby, accept\nthe risk associated with their operation. This management authorization (accreditation) is\nto be supported by a formal technical evaluation (certification) of the management,\noperational, and technical controls established in an information system\xe2\x80\x99s security plan. In\nMay 2004, NIST released Special Publication (SP) 800-37, \xe2\x80\x9cGuide for the Security\nCertification and Accreditation of Federal Information Systems\xe2\x80\x9d which provides guidelines\nfor the security certification and accreditation of information systems supporting the\nexecutive agencies of the federal government.\n\nIn FY 2004, OMB mandated that agencies use a process consistent with NIST SP 800-37\nwhen authorizing (or re-authorizing) systems after May 2004. NIST SP 800-37 states that\nthe \xe2\x80\x9cassessment of risk and the development of system security plans are two important\nactivities in an agency\xe2\x80\x99s information security program that directly support security\naccreditation \xe2\x80\xa6\xe2\x80\x9d That same year, OMB eliminated separate reporting on risk\nassessments and security plans; instead, the performance measure for certification and\naccreditation was revised to include the use of the FIPS 199 to determine an impact level,\nas well as associated NIST documents used as guidance for completing risk assessments\nand security plans.\n\nSecurity certification is a comprehensive assessment of the management, operational, and\ntechnical security controls in an information system, made in support of security\naccreditation, to determine the extent to which the controls are implemented correctly,\noperating as intended, and producing the desired outcome with respect to meeting the\nsecurity requirements for the system. The results of a security certification are used to\nreassess the risks and update the system security plan, thus providing the factual basis for\nan authorizing official to render a security accreditation decision.\n\nSecurity accreditation is the official management decision given by a senior agency official\nto authorize operation of an information system and to explicitly accept the risk to agency\noperations, agency assets, or individuals based on the implementation of an agreed-upon\nset of security controls.\n\nThe OIG previously recommended that the RRB implement a formal certification and\naccreditation process that would place the acceptance of system security risk with a higher\nlevel of management.\n\nAlthough the OIG\xe2\x80\x99s recommendation pre-dated OMB\xe2\x80\x99s mandate of compliance with NIST\nSP 800-37, which was still in draft, certification and accreditation was already required by\nOMB Bulletin A-130, Appendix III. In addition, the NIST SP 800-37 requirement that\naccreditation be \xe2\x80\x9cgiven by a senior agency official\xe2\x80\x9d who \xe2\x80\x9cshould have the authority to\noversee the budget and business operations of the information system\xe2\x80\x9d was not new.\nFederal Information Processing Standard (FIPS) 102, \xe2\x80\x9cGuideline for Computer Security\nCertification and Accreditation,\xe2\x80\x9d issued in September 1983, stated that \xe2\x80\x9caccrediting officials\nmust also possess authority to allocate resources to achieve acceptable security and to\nremedy security deficiencies.\xe2\x80\x9d\n\x0cAgency management rejected the OIG\xe2\x80\x99s recommendation when it was first offered in FY\n2003 but agreed to implement the recommendation when it was offered again in FY 2004.8\nEarlier in this report, we discussed weaknesses in the RRB\xe2\x80\x99s risk assessment and testing\nprocesses which we consider significant deficiencies in the agency\xe2\x80\x99s security program.\nRisk assessment and control testing are critical elements of certification and accreditation.\nWeaknesses in these two areas need to be corrected so that the RRB can implement a\nNIST compliant certification and accreditation process.\n\nRecommendation\n\nAgency action to implement prior OIG recommendations for corrective action is pending;\nthe OIG has no additional recommendations to offer at this time.\n\n\n\n\n8\n    OIG Report #03-10, dated September 8, 2003, Recommendation #6\n    OIG Report #04-11, dated September 30, 2004, Recommendation #9\n\x0c                                                                                  Appendix I\n                              Related Audit and Evaluations\n\nOur evaluation included consideration of the findings and recommendations of audits,\nevaluations and assessments of information security conducted in the current and prior\nyears.\n\nFY 2005 Reports\n\n   \xe2\x80\xa2\t \xe2\x80\x9cU.S. Railroad Retirement Board (RRB), Local Area Network Security Scan, Security\n      Test and Evaluation Report,\xe2\x80\x9c June 7, 2005, DSD Laboratories\n   \xe2\x80\xa2\t \xe2\x80\x9cU.S. Railroad Retirement Board (RRB) Local Area Network, Security Test and\n      Evaluation Report,\xe2\x80\x9c June 7, 2005, DSD Laboratories\n   \xe2\x80\xa2\t \xe2\x80\x9cU.S. Railroad Retirement Board (RRB), Railroad Unemployment Insurance Act\n      Network (RUIANET), Security Test and Evaluation Report,\xe2\x80\x9c June 7, 2005, DSD\n      Laboratories\n   \xe2\x80\xa2\t \xe2\x80\x9cU.S. Railroad Retirement Board (RRB), Employer Reporting System (ERS),\n      Security Test and Evaluation Report,\xe2\x80\x9c June 7, 2005, DSD Laboratories\n   \xe2\x80\xa2\t \xe2\x80\x9cReview of Access Controls in the End-User Computing General Support System,\xe2\x80\x9d\n      OIG Report #05-08, July 18, 2005\n\nPrior Year Reports\n\n   \xe2\x80\xa2\t \xe2\x80\x9cInformation Systems Security Assessment Report,\xe2\x80\x9d Defensive Information\n      Operations Group, National Security Agency, June 28, 2000\n   \xe2\x80\xa2\t \xe2\x80\x9cReview of RRB\xe2\x80\x99s Compliance with the Critical Infrastructure Assurance Program,\xe2\x80\x9d\n      August 9, 2000, OIG Report #00-13\n   \xe2\x80\xa2\t \xe2\x80\x9cReview of Document Imaging Railroad Unemployment Insurance Act Programs,\xe2\x80\x9d\n      November 17, 2000, OIG Report #01-01\n   \xe2\x80\xa2    \xe2\x80\x9cSite Security Assessment,\xe2\x80\x9d Blackbird Technologies, Inc., July 20, 2001\n   \xe2\x80\xa2    \xe2\x80\x9cSecurity Controls Analysis,\xe2\x80\x9d Blackbird Technologies, Inc., August 17, 2001\n   \xe2\x80\xa2\t \xe2\x80\x9cReview of Information Security at the Railroad Retirement Board,\xe2\x80\x9d February 5,\n      2002, OIG Report #02-04\n   \xe2\x80\xa2\t \xe2\x80\x9cReview of the Railroad Retirement Board\xe2\x80\x99s Controls Over the Access, Disclosure,\n      and Use of Social Security Numbers by Third Parties,\xe2\x80\x9d August 26, 2002, OIG\n      Report #02-11\n   \xe2\x80\xa2\t   \xe2\x80\x9cFiscal Year 2002 Evaluation of Information Security at the Railroad Retirement\n        Board,\xe2\x80\x9d August 27, 2002, OIG Report #02-12\n   \xe2\x80\xa2\t   \xe2\x80\x9cEvaluation of the Self-Assessment Process for Information System Security,\xe2\x80\x9d\n        December 27, 2002, OIG Report #03-02\n   \xe2\x80\xa2\t \xe2\x80\x9cEvaluation of RRB E-Government Initiative: RUIA Contribution Internet Reporting\n      and Payment,\xe2\x80\x9d December 27, 2002, OIG Report #03-03\n\x0c                                                                            Appendix I\n                           Related Audit and Evaluations\n\n\xe2\x80\xa2\t   \xe2\x80\x9cReview of the Railroad Retirement Board\xe2\x80\x99s PIN/Password System for On-Line\n     Authentication,\xe2\x80\x9d September 8, 2003, OIG Report #03-09\n\xe2\x80\xa2\t \xe2\x80\x9cReview of the Systems Development Life Cycle for End-User Computing,\xe2\x80\x9d\n   September 8, 2003, OIG Report #03-10\n\xe2\x80\xa2\t   \xe2\x80\x9cFiscal Year 2003 Evaluation of Information Security at the Railroad Retirement\n     Board,\xe2\x80\x9d September 15, 2003, OIG Report #03-11\n\xc2\x83    \xe2\x80\x9cReview of Mainframe Access Controls at the Application Level: Federal Financial\n     System,\xe2\x80\x9d September 07, 2004, OIG Report #04-07\n\xe2\x80\xa2\t \xe2\x80\x9cReview of Mainframe Access Controls at the Application Level: RRB-Developed\n   Applications Controlled by ACF2 and IDMS,\xe2\x80\x9d September 07, 2004, OIG Report\n   #04-08\n\xc2\x83    \xe2\x80\x9cReview of Mainframe Access Controls at the Application Level: Program Accounts\n     Receivable System,\xe2\x80\x9d September 09, 2004, OIG Report #04-09\n\xc2\x83    \xe2\x80\x9cFiscal Year 2004 Evaluation of Information Security at the Railroad Retirement\n     Board,\xe2\x80\x9d September 30, 2004, OIG Report #04-11\n\x0c       Appendix II\n\n\n\n\n-16-\n\x0c-17-\n\x0c'